Our AI Detects Your AI — Revealing the Secret Blockchain DApp World of Bots
Key discovery: AnChain.AI discovered that in Q1 2019 blockchain bots contributed to 51% of unique accounts and 75% of transactions. In other words, every day the equivalence of $6 million USD in transaction volume is driven by bad bots.
AnChain.AI leverages artificial intelligence (AI) to reveal how prevalent bot activity is within the blockchain DApp world. To date, this analysis is the largest scale study of bot activity within the DApp ecosystem.
Similar to how the Internet is suffering from content scraping bots, crypto businesses are inundated with a wide variety of bots which make it difficult to distinguish true business metrics from manipulated ones.
In this analysis, we focus on analyzing the variety of bots that are currently active within the blockchain DApp world. By analyzing the Top 10 EOS blockchain gambling DApp transactions in Q1 2019, we are able to determine that blockchain bots contributed to 51% of unique accounts and 75% of transactions, equivalent to roughly $6 million USD in daily transaction volume!
This report showcases the various blockchain bot behaviors, the challenges associated with detecting them, how our team at AnChain.AI has built a highly accurate deep learning model to detect them at scale, and what can we do about the issue of blockchain bots as an industry.
- In terms of unique accounts, the most active DApp (DApp-1) has only a small percentage of bot activity.
- The remaining Top 10 DApps (DApps-2–10) all have substantial bot activity.
- With 4500+ unique accounts, DApp-2 attracted the most bots (~1900) while it’s organic human generated traffic is lower than that of DApp-1. This dynamic hints at the competitive nature of the DApp world where the runner-ups are leveraging bots in order to augment overall ecosystem usage metrics.
- Without the use of our sophisticated prediction models, DApp leaderboard websites, ratings agencies, investors, developers, and enthusiasts alike will be fooled into believing DApp-2’s significant 200K+ transactions (roughly 4x that of DApp-1 transactions) signals more popularity, value, and usage. Meanwhile the reality is that DApp-1 has the most authentic human accounts and it did not employ a bot army to augment its numbers.
Why does blockchain bot detection matter ?
We are in the early stages of the blockchain technology industry. A lot of new blockchain protocols and businesses are being created within this space, and more often than not, user activity, transaction volume, daily volume, and various other growth metrics are often used as proxies for how successful a DApp, protocol, or business is performing.
Bot activity calls into question the integrity of such metrics and makes the industry much more difficult to understand, regulate, operate, and secure.
In order to truly understand the health of the blockchain industry and the various crypto-assets within, it is crucial to understand how much of the activity taking place within the marketplace is authentic, and how much of it is being driven by bots with unclear incentives.
While bots are by no means a new topic, no extensive research has been done on bots specific to the blockchain industry, especially in the blockchain DApp world.
Back in the legacy economy, almost 40% of all Internet traffic in 2018 alone was bot driven!
These bots are most evident in the millions of “price scraping bots” that crawl across the web of e-commerce sites and the army of Google bots indexing the entire internet to facilitate its search engine.
Within the blockchain industry the impact of trading bots on cryptocurrency exchange volumes, a primary driver of the overall cryptocurrency market, was recently analyzed in a SEC filing report by Bitwise Asset Management. 
This report concluded that, “95 percent of reported Bitcoin volume is fake.” This fake volume is being driven by trading bot accounts that skew blockchain transaction volume datasets to the upside fooling investors, regulators, builders, operators, and enthusiasts in the process.
Background: Blockchain Ecosystem and DApp
Decentralized applications (DApps) are deemed as one of the main driving forces for growth within the blockchain industry and acceptance of blockchain technology by the global consumer. This is reflected by the total DApp transaction statistics, which continue to show a strong rise in Q1 2019.
The top 3 DApp friendly blockchains (EOS, TRON, and ETH) recorded 2,600+ DApps, 253K users, and $43 Million in daily volume as of April 22, 2019.
Statistics for Q1 2019 provided by TokenInsight:
- EOS is the #1 DApp blockchain with $480 million in weekly transaction volume.
- Gambling DApps dominate 65% of all EOS DApp ecosystem transaction volume. Games account for 12%, Marketplaces for 7%, with various uses for the remaining 16%.
- Out of the 1.2 million total EOS addresses, the Top 20 EOS DApp addresses contribute $114 million in weekly transaction value, equivalent to 24% of all ecosystem volume.
- Utilizing our AnChain.AI Platform we analyzed the millions of transactions from the Top 10 EOS Gambling DApps, which represent the majority of overall ecosystem activity.
We chose the Top 10 EOS Gambling DApps because EOS is the most active DApp blockchain, gambling is the most active EOS DApp category, and the top 10 DApps offer the richest dataset of transactions for us to analyze.
Note that all DApp names and addresses are intentionally anonymized.
Blockchain Bot vs. Human Behaviors
Bot: a non-human account operated by software (i.e. artificial intelligence) attempting to behave like a human operated account.
While this report focuses on bot accounts within EOS Blockchain DApps, we are aware that other protocols and blockchain projects have similar bot profiles.
First, let’s look at an easily detected, easily understood EOS DApp bot transaction for illustrative purposes.
The figure below illustrates how the bot account interacted with a gambling DApp on 4/22 and 4/23. Considering that the account displays identical bet behavior and that the timestamp is exactly 24 hours apart, we can quite easily deem this a bot account and rule out having a human operator. This bot is likely to be motivated by earning the 0.25 token dividend within the gambling DApp.
Now, in the following figures we will use product screenshots of the AnChain.AI Platform to showcase real-world examples of the difference between bot and human account behaviors.
Note the repetitive behavior patterns shown in Figure 9 are strong indicators of a bot. This bot, in particular, is interacting with the DApp every 4 hours for more than a week. Human account behavior very rarely displays this behavior when interacting with a gambling DApp. This bot is likely designed around the constraint of avoiding detection engines by playing too frequently; hence, it takes a break every 4 hours.
Figure 10 shows a human player account interacted with the DApp from 4pm PST to midnight within a 24 hour window. One could reasonably estimate this player took a dinner break at 7pm. Secondly, it’s irregular pattern reflects the player exploring different betting options instead of strictly following any playbook.
In essence, the behavior is more volatile, more realistic, and therefore, much more difficult for a bot to replicate. Yet, this is not to say that sophisticated bots cannot behave in a similar fashion because they can, and do. Read on for more information regarding how we detect more sophisticated bots.
Four Blockchain Bot Behavior Sophistication Levels
By analyzing the Top 10 EOS blockchain gambling DApp transactions in Q1 2019 , we have determined that 51% of unique accounts (or over 7,700 accounts of a total of 15,000+ accounts) and 75% of transactions (of a total of ~1 million analyzed) are classified by our machine learning model as bots.
Interestingly, within these 7,700+ bot accounts, we’ve identified four blockchain bot behavior families presented in the figures below. Each heat map depicts a single, dominating bot family in a different DApp.
X axis denotes dates, Y axis denotes hours, and intensity denotes activity level (i.e. number of hourly transactions).
Level 1: Simple Bots — Hyperactive
This bot category is simple to detect due to its apparent bot behavior and hyperactive level. We only encountered this family of bots in a few DApps with one of the top uses of employment being in the form of a trading bot.
Perhaps more interestingly, some of these bots have been running for months and don’t seem to care about being detected. Something that we intend to help the industry address!
Level 2: Moderate Bots — Evading Attention Through Normalcy
These bots seem to be operated by a simple piece of code that wakes up at a predetermined time interval to interact with the DApp, in an effort to remain stealthy and minimize the risk of garnering attention and being detected
Level 3: Sophisticated Bots — Fooling Simple Detection
These are the more sophisticated bots that will add randomness into their execution time interval in an effort to fool simple detection engines. AnChain.AI’s engine confirms these are bots because there is an army of 50 similar accounts all created at the same time by the same EOS account.
Level 4: Blockchain Advanced Persistent Threat (BAPT) Bots — Stealthy, Difficult to Detect.
The 5 suspicious addresses (BAPT hacker group) created 50,000+ self-destructible malicious bots to attack a few popular DApps, stealing over $4 million in 2 weeks.
Note, we are not showing a heatmap in Figure 14 because these transactions individually look like human behavior. But, by using our Situational Awareness Platform (SAP) we are able to connect these isolated accounts using graph theory and reveal this army of coordinated bots that caused catastrophic damage to the DApp’s integrity.
Read more on AnChain.AI’s BAPT detection, here.
Why are blockchain bots challenging to detect?
Pseudonymous blockchain transactions make it more difficult to detect and defend against bots compared to IP based internet transactions or KYC (Know Your Customer) accounts that are governed by a centralized authority, like ICANN or the SEC, for example.
Put more simply, the decentralized nature of the blockchain industry creates a much more arbitrary, and nuanced, operating environment that leaves the door open to bots going undetected for extended periods of time.
While there are currently bot detection solutions, such as:
- Address blacklist databases often collected and maintained by developer/operator communities
- Rule based detection engines, like “IF active_24_hours THEN bot ELSE human”
These solutions suffer from:
- Static blacklists; bot addresses can be replaced anytime, and often grow in rapid fashion making it difficult for manual blacklist input or flagging to be a viable approach
- Sophisticated bots can leverage a range of camouflaging techniques in order to evade multi-variable rule based detection engines
- Iterating and processing much too slowly in a highly dynamic and evolving threat landscape
For these reasons, we need to leverage advanced machine learning to accurately detect blockchain bots in a pragmatic manner that is both:
- Scalable to the amount of bot-reported incidents
- Time-effective (a.k.a. cost effective)
Bad Bot vs Good Bot in Blockchain World
Not all bots are created equal. There are good bots and bad bots in the blockchain world, just like in the Internet world.
How Bad Bots Damage the Blockchain Ecosystem, Economy, and Security
Bad bot usually have malicious intentions, such as:
- Boosting DApp rankings by augmenting transaction metrics, often a proxy of overall business health. This is similar to Internet SEO (Search Engine Optimization) bots that simulate mouse clicks to fool the search engines into listing the desired site higher in results rankings.
- Increasing liquidity of DApp utility tokens. Most DApps are backed by tokenomics, meaning they have a token crypto asset that is actively traded across various crypto exchanges. If there is no trading activity for this token and the exchange where it is listed has an illiquid order book, the token asset will likely face sell-side pressure and decrease in value. A very common use case for bots is employing them as a tool for market making to ultimately increase liquidity of the tokens and prop up, or grow, asset values.
- Earning profits on the payout dividends. Most DApps pay generous dividends, in coins or tokens, to incentivize players to play their DApps (mostly gambling related).
- Sabotaging competitors by congesting the DApp, similar to a Denial-of- Service (DoS) attack on the Internet.
- Launching BAPT (Blockchain Advanced Persistent Threat) attacks on targeted vulnerable DApps. 
Why Good Bots Exist
Good bots are often developed by the DApp team, with the purpose of:
- Running automated product quality assurance tests within the DApp (i.e. quality assurance bot)
- Interacting with human players. For example, DApp players cannot always find sufficient human players to interact with, so a bot player will be deployed to fill the void
What can we do as an industry?
It is evident that the DApp, as the most relevent application of blockchain as of this writing, is currently being heavily influenced by bots; something that the industry needs to understand and address.
Fortunately, just as in the centralized internet, it is real human users who are the main drivers of the decentralized blockchain ecosystem as they drive real capital into the ecosystem and drive adoption. Organic growth of the DApp ecosystem is the key to its success, so ensuring this ought to be a top priority for all DApp developers, operators, investors, and crypto enthusiasts alike.
Although the blockchain industry is currently unregulated, it is clearly trending towards regulation and as the top crypto exchanges come under the SEC’s oversight, trading bots will likely be dealt with in a compliance regulatory context.
That said, the blockchain industry needs to raise awareness on the prevalence of bot activities in blockchains, starting with DApps.
Our recommendations to various sectors, include:
Blockchain Rating Sites:
- All DApp rating sites leverage sophisticated bot detection engines to make sure the rankings are fair, up-to-date with real-time metrics, and the practice of using static blacklist addresses databases is done away with.
- As the platforms where the DApps are hosted and run, protocols ought to discourage DApps from using cheating bots in order to fake volume, transactions, etc. in order to appear higher on rankings.
- Protocol teams have all of the available data for each of the DApps within their protocol, so they ought to lead the charge with transparency and re-focus on driving organic growth which will benefit themselves and the industry in the long-term.
- Focus on organic human user growth. That’s the key to sustained success.
- Invest in good bots that help improve product quality and increase liquidity.
- Do not cheat by building bad bots.
- Defend against malicious bots, such as BAPT (Blockchain APT hackers).
- Reputation systems akin to a FICO credit score need to be in place in order to block suspicious accounts related to bot activities.
How does AnChain.AI detect bots?
We have been tracking transaction behavior for all major blockchains and leveraging advanced techniques in AI / machine learning to classify various behavior categories such as bots, hackers, human, etc, to provide insight to our clients at crypto exchanges, blockchain protocols, enterprise blockchain endeavors, and DApps.
We have been collecting threat intelligence on addresses owned by bots, hackers, malware, etc. With this large curated dataset of known bot accounts, we fine-tuned a highly accurate ML detection engine.
This bot detection engine achieves a 99%+ receiver operating characteristic curve (ROC) score at 10 fold cross-validation (CV).
Our bot detection ML models include:
- Deep Learning (DL), including Convolutional Neural Nets (CNN)
- Ensembles, including Gradient Boosted Tree (GBT) and Random Forest (RF). Accuracy on validation set achieves 99%+.
The reason we also built a tree ensemble model was for better model interpretability. Tree ensemble models make it easier to explain why the AI makes a given prediction via probabilistic feature importance, whereas deep learning models work like a blackbox.
For instance, these are strong indicators (features) our ML model automatically selected out of a pool of 50+ candidates:
- Active percentage. The more active, the more likely it’s a bot.
- Temporal regularity by auto-correlation. Repeated pattern hints at bot behavior.
- Bet size. A bot is more likely to bet at a fixed amount.
This research was initiated in November 2018, and would not be possible without the help of:
- Berkeley Blockchain Xcelerator Professor Alexander Fred-Ojala, Chief Data Scientist at UC Berkeley, for reviewing the machine learning work.
- Amino Capital’s anti-fraud experts.
- Data scientist interns Shengbin (Duke University) and David (Harvard University) for working with AnChain.AI’s Data Platform team.
- Connie Zheng for editorial support.
- TokenInsight for providing statistics on DApps.
- AWS Activate Program for sponsoring the Startup Cloud Credits.
AnChain.AI is an AI-powered blockchain security company with one mission in mind: to secure and grow the blockchain industry by delivering trust through security and operational visibility.
Our team has extensive experience in cybersecurity, artificial intelligence, cloud computing, and big data having previously worked at the likes of FireEye, Mandiant, McAfee, EMC, Pivotal, and other industry leaders.
AnChain.AI is continuously securing top-tier crypto exchanges, protocols, DApps, wallets, custodians, and enterprise with our AnChain.AI platform:
- The Situational Awareness Platform (SAP) proactively protects blockchain ecosystems by providing proprietary artificial intelligence, knowledge graph, and threat intelligence on blockchain transactions. The SAP is able to detect and even predict vulnerabilities and threats before and after they occur.
SAP detected the first Blockchain APT (BAPT) hacker group responsible for stealing over $4 million USD worth of Ether from a DApp smart contract.
- The Smart Contract Auditing Sandbox (CAS) is a cloud based smart contract auditing sandbox that automatically scans most known vulnerabilities (i.e. re-entrancy, overflow, etc.). The CAS is fully automated, fast scanning, accessible in the cloud, and connects to professional auditing experts.
We hope you draw value from this research and will stay tuned as we work to provide similar research for both TRON and ETH DApps.
Please get in touch for any collaborative research efforts moving forward! For more information on our commercial products that can help you secure and grow your blockchain business, please visit our website!
Follow our Twitter social channel for live updates: @AnChainAI
- Clap for the article 👏
- Share the article with your friends 😎
- Follow us 👍
 Distill Network Internet Bot report, 2019. https://resources.distilnetworks.com/white-paper-reports/bad-bot-report-2019
 SEC filing report by Bitwise Asset , March 2019, Managementhttps://www.sec.gov/comments/sr-nysearca-2019-01/srnysearca201901-5164833-183434.pdf]
 BAPT (Blockchain APT hackers). Aug 2018,